SANS ISC InfoSec Forums

We have received a report from Tyler that a vulnerability affecting Microsoft SMB2 can be remotely crashed with proof-of-concept code that has been published yesterday and a Metasploit module is out.

We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled with one 1 packet to create a BSOD. We recommend filtering access to port TCP 445 with a firewall.

I have seen port 445 scanning on average one every three minutes per target IP for a few weeks now. This is much higher than normal for my networks. Chances are this exploit was known before now and is just reaching the kit level. There is much more early distribution of real exploit code going on now than ever before, especially if it does more than a simple DoS.

Perhaps, but more likely they're looking for any number of other SMB vulnerabilities that have been disclosed over the past 2 years. SMB has got to be one of the biggest offenders for 0days from Microsoft for a while now. In our enterprise, the top vulns are all SMB or Adobe based.